XSS in "add to watchlist" link on artefact detail screen

Bug #1472439 reported by Aaron Wells on 2015-07-08
Affects   Importance   Assigned to
Mahara    High         Aaron Wells
1.10      High         Aaron Wells
1.8       High         Aaron Wells
1.9       High         Aaron Wells
15.04     High         Aaron Wells
15.10     High         Aaron Wells

Bug Description

Issue reported by Yuji Tounai through <email address hidden>

On artefact detail screens, when you click on the "add to watchlist" link, we use AJAX to update the link to read "remove from watchlist". But, we are not properly escaping the page title in that AJAX, which makes it possible to execute Javascript that has been placed in the page title.

To replicate:

1. Create a portfolio Page
2. Give the page this title:

"><img src=0 onerror=alert(location)>

3. Put an image block in the page.
4. View the page in display mode.
5. Click on the link to view the artefact detail screen for the image
6. At the bottom of the artefact detail screen, click on the link that reads "Add page ""><img src=0 onerror=alert(location)>" to watchlist" or "Remove page ""><img src=0 onerror=alert(location)>" to watchlist"

Expected result: The page should be added or removed from your watchlist, and the link title should show the HTML-escaped version of the page title.

Actual result: The page is added or removed from your watchlist, but the link title is not HTML-escaped and Javascript "alert(location)" executes.
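As an added illustration of the defect described above (this is not Mahara's own code), the renderer below builds the watchlist link text both the unsafe way, with the raw page title concatenated into markup, and the hardened way, with the title HTML-escaped at the point it becomes markup. The `escapeHtml`, `renderWatchlistLink*` and `injectsElement` names are assumptions for this example, and the sample title is constructed from the payload in the bug report.

```javascript
// Added example, not code from the Mahara project: the watchlist link text
// contains a user-controlled page title, so the title must be escaped before
// it is inserted as HTML. Both renderers return the markup string that an
// AJAX success handler would assign to the link element.

// Sample title, constructed from the payload quoted in the bug report.
const PAGE_TITLE = '"><img src=0 onerror=alert(location)>';

// Escape the characters that can break out of text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw title is concatenated into markup, so a title
// such as '"><img ...>' closes the surrounding quote and injects an element.
function renderWatchlistLinkUnsafe(title, onWatchlist) {
  const verb = onWatchlist ? 'Remove' : 'Add';
  const prep = onWatchlist ? 'from' : 'to';
  return `<a href="#" class="watchlist">${verb} page "${title}" ${prep} watchlist</a>`;
}

// Hardened pattern: identical output shape, but the title is escaped once,
// exactly where it is turned into HTML.
function renderWatchlistLinkSafe(title, onWatchlist) {
  const verb = onWatchlist ? 'Remove' : 'Add';
  const prep = onWatchlist ? 'from' : 'to';
  return `<a href="#" class="watchlist">${verb} page "${escapeHtml(title)}" ${prep} watchlist</a>`;
}

// Detection check for a test suite: true if the markup contains any tag other
// than the single <a>...</a> wrapper, i.e. the title injected an element.
function injectsElement(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.some((t) => !/^<\/?a[\s>]/.test(t));
}

console.log('unsafe injects element:', injectsElement(renderWatchlistLinkUnsafe(PAGE_TITLE, false)));
console.log('safe injects element:  ', injectsElement(renderWatchlistLinkSafe(PAGE_TITLE, false)));
```

In a browser handler, assigning the title to the link's `textContent` instead of building `innerHTML` removes the need to escape at all; the string form above is used so the check runs outside a DOM.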


Aaron Wells (u-aaronw) wrote :

This bug was introduced in Mahara 1.8, when we changed the "Add page to watchlist" link on artefact detail pages to include the page title.

information type: Public → Private Security
Changed in mahara:
status: New → In Progress
tags: added: regression watchlist
Aaron Wells (u-aaronw) wrote :

Here's the fix patch for 1.9_STABLE: https://reviews.mahara.org/#/c/4927

Aaron Wells (u-aaronw) wrote :

On further reflection I'm downgrading this one from "Critical" to "High", because there are a couple of mitigating factors:

1. The attacker has to have an account (i.e., be able to create or edit a page title)

2. The victim must be logged in (to have access to the watchlist link)

Aaron Wells (u-aaronw) on 2015-07-10
information type: Private Security → Public Security
Aaron Wells (u-aaronw) on 2015-07-10
description: updated